8steps Secure Cisco
Daniel B. Cid
daniel@underlinux.com.br
Network security is a constantly changing area; new devices like IDS (Intrusion
Detection Systems), IPS (Intrusion Prevention Systems), and honeypots are modifying the
way people think about security. Companies are spending thousands of dollars on new
security devices, but forgetting the basics, the first line of defense: the border router.
Although a lot of people may think that routers don't need to be protected, they are
completely wrong. Security problems affecting this kind of device appear all the time,
and most of these devices are vulnerable.
Information about some common security problems found on Cisco routers can
be read in the text Exploiting Cisco Routers, available at:
http://www.securityfocus.com/infocus/1734
In this article I will give you 8 easy-to-follow steps to minimize your Cisco router's
exposure by turning off some unused services, applying some access control and
applying some security options available on it.
4- Restrict SNMP
SNMP must always be restricted, unless you want some malicious person getting a lot of
information from your network.
access-list 112 deny udp any any eq snmp
access-list 112 permit ip any any
interface x0/0
ip access-group 112 in
And if you are not going to use SNMP at all, disable it:
no snmp-server
All other passwords can be encrypted using the Vigenere cipher, which is not
very strong, but can help. To do that, you can use the service password-encryption
command, which encrypts all passwords present in your system.
service password-encryption
no ip http server
6.4 - Disable ntp (if you are not using it)
ntp disable
8- Log everything
To finish, you must log everything on an outside log server. You must log everything from
all your systems and always analyze the logs.
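As an added example (not part of the original article), the following Python sketch audits a saved router configuration for the SNMP, password-encryption, HTTP server and remote logging steps described above. The sample configuration is constructed, and the `logging <address>` syntax it looks for is an assumption, since the article does not show the logging command.

```python
import re

# Constructed sample running-config (not from the article); 192.0.2.0/24 is a documentation range.
SAMPLE_CONFIG = """\
service password-encryption
no ip http server
access-list 112 deny udp any any eq snmp
access-list 112 permit ip any any
snmp-server community example RO
interface Serial0/0
 ip access-group 112 in
interface FastEthernet0/0
logging 192.0.2.10
"""

DENY_SNMP = re.compile(r"access-list (\d+) deny\s+udp any any eq (?:snmp|161)\b")
BIND_IN = re.compile(r"ip access-group (\d+) in$")
LOG_HOST = re.compile(r"logging (?:host )?\d+\.\d+\.\d+\.\d+")  # assumed syntax, not on the page

def parse(config):
    """Split a config into global lines and per-interface child lines."""
    globals_, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the interface block
            globals_.append(line.strip())
    return globals_, interfaces

def audit(config):
    """Return findings for the hardening steps this example covers."""
    g, ifaces = parse(config)
    findings = []
    if "service password-encryption" not in g:
        findings.append("service password-encryption is not set")
    if "no ip http server" not in g:
        findings.append("HTTP server not explicitly disabled")
    if any(l.startswith("snmp-server ") for l in g):
        # SNMP is enabled, so each interface should carry an inbound ACL that denies it.
        acls = {m.group(1) for m in map(DENY_SNMP.match, g) if m}
        for name, lines in ifaces.items():
            if not acls & {m.group(1) for m in map(BIND_IN.match, lines) if m}:
                findings.append(f"SNMP enabled and {name} has no inbound ACL denying snmp")
    if not any(LOG_HOST.match(l) for l in g):
        findings.append("no remote log server configured")
    return findings
```

The script cannot tell which interface faces outside, so it reports every interface that lacks the ACL; it also does not check the order of ACL entries.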
Conclusion
With these simple steps you can add a lot of security to your router, protecting it against a
lot of possible attacks, increasing your network security.
As an example, you can see the nmap results before and after applying these options:
Before: